Netgear XCM8806 - 8800 SERIES 6-SLOT CHASSIS SWITCH User Manual
Chapter 10. FDB
disable learning vlan <vlan-name>
Managing Egress Flooding
Egress flooding is the switch's handling of a packet based on the packet's destination MAC address. By default, egress flooding is enabled, and any packet whose destination address is not in the FDB is flooded to all ports in the VLAN except the ingress port.
You can enhance security and privacy, and improve network performance, by disabling Layer 2 egress flooding on a port or VLAN. This is particularly useful on an edge device in the network. Limiting flooded egress packets to selected interfaces is also known as upstream forwarding.
Note: Disabling egress flooding can affect many protocols, such as IP and ARP. An ARP request is a broadcast, so once flooding is disabled on the access ports it is forwarded only to the ports that still flood (the uplink in the example that follows); make sure the upstream device can resolve and route traffic between clients before you rely on this setting.
Figure 18 illustrates a case where you want to disable Layer 2 egress flooding on specified ports to enhance security and network performance.
Figure 18. Upstream Forwarding or Disabling Egress Flooding Example
In this example, the three ports are in an ISP-access VLAN. Ports 1 and 2 are connected to clients 1 and 2, respectively, and port 3 is an uplink to the ISP network. Because clients 1 and 2 are in the same VLAN, client 1 could learn about the other client's traffic by sniffing client 2's broadcast traffic; client 1 could then launch an attack on client 2.
However, when you disable all egress flooding on ports 1 and 2, this sort of attack is impossible, for the following reasons:
• Broadcast and multicast traffic from the clients is forwarded only to the uplink port.
• Any packet with an unlearned destination MAC address is forwarded only to the uplink port.
• One client cannot learn any information from the other client. Because egress flooding is disabled on the access ports, the only packets forwarded to each access port are those specifically addressed to a MAC address learned on that port. There is no traffic leakage.
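To make the forwarding rules above concrete, here is an added Python model of the egress-flooding decision. It is not code from the NETGEAR manual or from the switch software; it assumes a simplified switch with one VLAN, an FDB keyed by MAC address, and a per-port egress-flooding flag, and the port numbers and MAC addresses are constructed for the example. It reproduces the Figure 18 scenario: with flooding disabled on ports 1 and 2, client 2's broadcast and client 1's unknown-unicast frame leave only via port 3, while a frame from the uplink to client 2's learned MAC address is still delivered to port 2.

```python
"""Model of the Layer 2 egress-flooding decision described in this section.

Constructed example for illustration; it is not switch code or switch output.
"""
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"


def is_group_address(mac: str) -> bool:
    """Broadcast and multicast MACs have the I/G bit (LSB of the first octet) set."""
    return int(mac.split(":")[0], 16) & 0x01 == 1


@dataclass
class Vlan:
    ports: set                                        # member ports of the VLAN
    fdb: dict = field(default_factory=dict)           # learned MAC -> port
    flooding_disabled: set = field(default_factory=set)  # ports with egress flooding off

    def forward(self, ingress: int, src_mac: str, dst_mac: str) -> set:
        """Return the set of egress ports for one frame, learning the source first."""
        # MAC learning: remember which port the source lives behind.
        self.fdb[src_mac] = ingress
        # Known unicast: deliver only to the learned port. The egress-flooding
        # setting does not apply, so specifically addressed frames still arrive.
        if not is_group_address(dst_mac) and dst_mac in self.fdb:
            out = self.fdb[dst_mac]
            return set() if out == ingress else {out}
        # Broadcast, multicast or unknown unicast: flood to the VLAN, minus the
        # ingress port, minus every port on which egress flooding is disabled.
        return {p for p in self.ports - {ingress} if p not in self.flooding_disabled}


def isp_access_example() -> dict:
    """Figure 18: ports 1 and 2 are client access links, port 3 is the ISP uplink."""
    CLIENT1, CLIENT2, UPLINK = 1, 2, 3
    MAC1, MAC2, GW = "00:00:00:00:00:01", "00:00:00:00:00:02", "00:00:00:00:00:03"

    default = Vlan(ports={CLIENT1, CLIENT2, UPLINK})   # factory behaviour
    hardened = Vlan(ports={CLIENT1, CLIENT2, UPLINK},
                    flooding_disabled={CLIENT1, CLIENT2})

    results = {}
    # Client 2 sends a broadcast (for instance an ARP request). By default it is
    # flooded to client 1's port as well as the uplink, so client 1 can sniff it.
    results["default_broadcast"] = default.forward(CLIENT2, MAC2, BROADCAST)
    # With flooding disabled on the access ports it reaches only the uplink.
    results["hardened_broadcast"] = hardened.forward(CLIENT2, MAC2, BROADCAST)
    # Client 1 sends to a MAC address the switch has never learned: uplink only.
    results["hardened_unknown_unicast"] = hardened.forward(
        CLIENT1, MAC1, "00:00:00:00:00:99")
    # A reply from the uplink to client 2's learned MAC is still delivered to port 2.
    results["hardened_known_unicast"] = hardened.forward(UPLINK, GW, MAC2)
    return results


if __name__ == "__main__":
    for name, egress in isp_access_example().items():
        print(f"{name}: egress ports {sorted(egress)}")
```

The model shows why the three bullets hold: every path that could carry one client's frame to the other client's port goes through the flood decision, and the flood set simply excludes the access ports. On the switch itself this is configured with the flooding commands in the command reference (on ExtremeXOS-derived platforms they take the form `disable flooding ... ports <port_list>`); that syntax is not shown on this page, so check the command reference for your release before applying it.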
Figure 18 (XOS004A): an EXOS switch with an Access VLAN. Port 1 and port 2 are access links to Client 1 and Client 2; port 3 is the uplink to the ISP FW/Security Proxy.